From owner-freebsd-security@FreeBSD.ORG Tue Jun 10 22:27:31 2003
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F359437B404; Tue, 10 Jun 2003 22:27:30 -0700 (PDT)
Received: from buexe.b-5.de (buexe.b-5.de [80.148.32.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4127143F75; Tue, 10 Jun 2003 22:27:29 -0700 (PDT) (envelope-from lupe@lupe-christoph.de)
Received: from antalya.lupe-christoph.de ([172.17.0.9]) h5B5R6J03221; Wed, 11 Jun 2003 07:27:07 +0200
Received: by antalya.lupe-christoph.de (Postfix, from userid 1000) id 5975D5F9; Wed, 11 Jun 2003 07:27:05 +0200 (CEST)
Date: Wed, 11 Jun 2003 07:27:05 +0200
From: lupe@lupe-christoph.de (Lupe Christoph)
To: "Crist J. Clark"
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Impossible to IPfilter this?
Message-ID: <20030611052705.GC26930@lupe-christoph.de>
References: <20030607111540.GC4812@lupe-christoph.de> <20030610230744.GD44069@blossom.cjclark.org>
In-Reply-To: <20030610230744.GD44069@blossom.cjclark.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.4i
List-Id: Security issues [members-only posting]
X-List-Received-Date: Wed, 11 Jun 2003 05:27:31 -0000

On Tuesday, 2003-06-10 at 16:07:44 -0700, Crist J. Clark wrote:

> On Sat, Jun 07, 2003 at 01:15:40PM +0200, Lupe Christoph wrote:

> > block in log quick from any to 172.17.0.7

> > It is not attached to any interface, so it should supposedly work even
> > for tunnelled traffic. Only it doesn't.

> Not sure who told you that, but it won't affect tunneled traffic. Not
> specifying an interface just means that it will be applied to all
> interfaces.

Sigh. I noticed. It was just a try, nobody told me.
> > PS: There was talk about the sequence in which IPFW/IPNat/IPFilter get invoked.
> > It would be interesting to put the IPSec code in this picture. Are
> > IPSec packets going through *any* of them? With/out GIF?

> Here's what happens (approximately), the packets get fed to the
> ip_input() routine. They pass through IPFilter then IPFW. Later they
> find themselves in IPsec processing where the packets are taken out of
> the tunnel. At this point, the packets are fed back into ip_input(),
> BUT the reinjected packets skip all firewall processing on this
> pass. With the IPSEC_FILTERGIF option set, the packets _will_ go
> through the firewall, IPFilter then IPFW, after IPsec processing.

... even if they are not passing through a GIF interface? My LINT says

    # Set IPSEC_FILTERGIF to force packets coming through a gif tunnel
    # to be processed by any configured packet filtering (ipfw, ipf).

And I could not get GIF to work with FreeS/WAN.

> However, there may be an ugly hack to try here. I think I might try it
> on one of my experimental setups at home. It may be possible to set up
> some additional IPsec policies to block the traffic you want to stop.

That could be very interesting. Thank you!

Lupe Christoph
-- 
| lupe@lupe-christoph.de              |  http://www.lupe-christoph.de/  |
| "Violence is the resort of the violent"                        Lu Tze |
| "Thief of Time", Terry Pratchett                                      |
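For readers of the archive, the two knobs the thread talks about, written out as the FreeBSD configuration they would live in. This is an added illustration, not something either poster sent: the kernel config name MYKERNEL is made up, the destination 172.17.0.7 is taken from the ipf rule quoted above, and the setkey(8) discard policy is the sort of "additional IPsec policy" Crist says he might try; the thread does not establish that it catches the decapsulated traffic, so treat that part as the experiment he proposes rather than a known-good fix.

```conf
# Added example (not from the thread). Two separate files are shown.

# --- 1. Kernel configuration, e.g. /usr/src/sys/i386/conf/MYKERNEL (excerpt) ---
# Without IPSEC_FILTERGIF, packets decapsulated by IPsec are re-fed to
# ip_input() and skip ipf/ipfw, so "block in log quick from any to
# 172.17.0.7" never sees them (Crist's description above). With it, the
# decapsulated packets are passed through IPFilter and then IPFW.
options         IPSEC
options         IPSEC_FILTERGIF         # filter packets after IPsec decapsulation

# --- 2. SPD entries for setkey(8), e.g. appended to /etc/ipsec.conf and ---
# --- loaded with "setkey -f /etc/ipsec.conf" (no spdflush here, so the ---
# --- existing tunnel policies stay in place)                          ---
# Inbound packets addressed to 172.17.0.7 get a "discard" policy, so the
# drop decision is made in the SPD lookup instead of in the packet filter.
# Whether this catches traffic coming out of the tunnel on this setup is
# what Crist offers to test; it is not confirmed in the thread.
spdadd 0.0.0.0/0 172.17.0.7/32 any -P in discard;
```

Of the two, the kernel option is the one the LINT comment documents; it is a rebuild-and-reboot change, after which the existing ipf rule is expected to apply to the decapsulated packets and to log them like any other.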